Telstra is worried that proposed decryption laws could break equipment and software it relies on and increase the risk of confidential details of its network operations falling into the wrong hands.
In a submission [pdf] to the Department of Home Affairs, published late Friday, Australia’s top telco raised significant security concerns about the bill as it is currently drafted.
Secret architecture mods
One of its key concerns is that one of its suppliers will be told to modify a piece of networking equipment or its operating software.
The supplier - served with a technical assistance notice or technical capability notice - would be subjected to secrecy provisions, making it unable to inform its customers of the modification.
Telstra worries the first it will know of the change is when it starts experiencing “service degradation, network faults or other impacts on its business”.
Similarly, it was unlikely that modifying a piece of equipment or its OS could be used to simply target one or more users; there would likely be collateral damage with “non-target users” swept up in ensuing network problems.
Telstra indicated it would be difficult for downstream customers to troubleshoot sudden faults caused by the modification.
But more importantly for Telstra, it would be liable for service outages because the bill only affords immunity to the company served the notice. Others in the line of fire because of that notice are afforded no protections.
Source code breach risk
In addition to this, Telstra is worried about having to release details of the inner-workings of its network; even though the bill makes it a jailable offence for anyone involved to disclose it, merely having that information shared outside Telstra opens it to greater risk of being accidentally or purposely disclosed or breached.
Telstra said that a notice may require it to “supply sensitive technical information, including software source code and service design documentation”.
“Sharing this type of commercially sensitive information could, of itself, present a security risk if it ends up in the wrong hands,” Telstra said.
Indirect access to device makers
Telstra also said that it routinely received “sensitive technical information” from device makers prior to a new handset being launched.
Telstra is worried that the Australian government or law enforcement will demand access to that information via carriers like Telstra.
Because that would put Telstra in breach of contracts it has signed with the device makers, it worried that device makers would simply pull the pin and stop sharing data with Australian telcos.
“This has potential to adversely affect the competitiveness of Australian telco providers in international markets and their ability to deploy the latest technology developments - for example, new smartphones and IoT devices,” it said.
Clear text OTT messages
In addition, Telstra is also worried that law enforcement could use the bill as a way to get access to clear text sent over OTT messaging services like WhatsApp or Viber, given there are no existing laws that would otherwise enable this.
“There is still scope under the draft bill … to require access to the clear content of communications sent or received on such services,” Telstra said.
Telstra asked for a specific prohibition to be added to the bill to prevent clear text communications from being targeted.
Telstra said that there remained opportunities to improve the “workability” of the proposed regime of voluntary and forced cooperation with authorities.
It wanted to see a greater level of consultation built into the bill text so that telcos were not asked to do the impossible.
It also asked for the bill to be referred to the Parliamentary Joint Committee on Intelligence and Security “in order to thoroughly test the draft bill’s provisions and minimise the risk of unanticipated impacts”.